The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. http://www.spywareinfoforum.info/newlsetter/aug5,2003.
Finally! The problem of advertising spyware has attracted the attention of a politician, and she intends to put a stop to it!
Congresswoman Mary Bono of California has introduced the Safeguard Against Privacy Invasions Act. The Act would force spyware companies to display a very prominent warning that their software is about to install and would require the user's permission before it continued. Companies that collect personally identifiable information would have to post an extra notice to inform the user of that.
"Companies that utilize spyware can sometimes view everything from passwords to credit card numbers of unknowing consumers," Ms. Bono has stated. "Through this bill, users will knowingly agree to the conditions under which spyware operates before it can be installed on their computers."
One concern that must be addressed is what sort of software this act applies to. The term "spyware" is overused on the internet, and often is applied to products that don't fit the definition. I sincerely hope that this law is not written in such a way as to allow invasive adware and browser hijackers free rein because they don't fit a precise definition created with Congresswoman Bono's legislation.
I'll go looking around for the text of the legislation later this week and give it a read. Certainly, I will be keeping my eye on it. The problem of predatory software on the internet should have long since drawn the notice of Congress, and I for one am glad it has.
http://www.spywareinfoforum.info/newlsetter/rd/sapia/ :: U.S. lawmaker wants limits to spyware
http://www.spywareinfoforum.info/articles/spyware/ :: Spyware Defined
A triple blow has been dealt to controversial government projects that would have created vast databases of information about United States citizens.
Last month, the US Senate voted unanimously to withhold most of the funding needed to run the Terrorism Information Awareness (TIA) project, a creation of the Pentagon. The project would have compiled and maintained an enormous database of information about citizens, including financial and credit history, medical records, employment records, and tax records among other things.
The project recently came under fire after a plan became public to allow financial traders to place bets on future terrorist attacks. Under this plan, people would have profited if they accurately predicted a terrorist act. A storm of outrage greeted news of this plan, and it quickly was denounced by the Department of Defense. Senators Byron Dorgan and Ron Wyden called the idea "morally repugnant".
Heading these projects was retired Admiral John Poindexter, the man convicted in the 1980s of lying to Congress during the Iran-Contra hearings. Poindexter's involvement in such a project drew widespread criticism. In the past, Poindexter has shown contemptuous disregard for the privacy rights of Americans and for the necessity of citizen oversight of government. Poindexter has resigned as Director of TIA in the wake of the terrorism trading controversy.
Another plan, Computer Assisted Passenger Pre-screening System (CAPPS II), that would have married intelligence agencies' data with information in airport and airline databases has also been modified heavily by the Department of Homeland Security (DHS). The DHS said it will narrow how a computer system, operated by the Transportation Security Administration, will use passenger information collected into the next generation of CAPPS II. Like TIA, CAPPS II also came under widespread criticism from privacy advocates who say it goes too far in violating unnecessarily the privacy of airline passengers.
Under the new guidelines, as laid down by Homeland Security, passengers will be asked to provide a name, date of birth, home address, and phone number when making reservations. However, bank records, medical records, and credit reports will not be used in profiling. In most cases, the information gathered while screening will be deleted soon after the flight has landed.
Although neither TIA nor CAPPS II is permanently dead, for now, both programs have been curtailed severely and will present a much reduced threat to civil and privacy rights. And you never know, under their present limitations, they may have no choice but to keep track of actual terrorists instead of tracking every living American as the original plans intended.
Nah, that would make far too much sense for a government program.
http://www.bayarea.com/mld/cctimes/news/6434712.htm :: Poindexter resigns
http://www.pcworld.com/news/article/0,aid,111626,00.asp :: TIA denied funding
http://www.pcworld.com/news/article/0,aid,111850,tk,dn080103X,00.asp :: CAPPS II revised
What does every single oppressive, tyrannical government and dictator in history have in common? They control all means of distributing news. They conceal every action taken by government agents as they enforce the will of the government. The rulers of a tyrannical nation are accountable to no one, and they commit horrifying atrocities to keep it that way. No review or criticism by the citizens is allowed.
Some of the most brutal and oppressive dictators in history have thrived under these conditions. Hitler, Stalin, and Mao all controlled the distribution of information in their countries during their reign. They operated in complete secrecy and allowed no common citizen to know what their agents were investigating.
Unless the government is held accountable for its actions, it will grow ever more oppressive and abusive. This is why citizen oversight of government activities is not just a good idea in the United States, it is a requirement for the continuation of our 227-year-old tradition of freedom.
When government agents are given free rein to poke their noses into the lives of citizens and are not forced to account for this activity to the civilian authorities, you end up with the FBI creating a dossier on Martin Luther King. When the FBI can snoop into the lives of citizens, and not be forced to report to someone that they are doing so, you end up with J Edgar Hoover gathering information to blackmail his political rivals.
Americans tend to scoff at the idea of our government doing the sort of thing oppressive, dictatorial governments do elsewhere. Sadly, this is not so. As you can see in the examples above, the US government is just as prone as every other government to abusing its power at the expense of the general population. What was it that put a stop to the abuses mentioned in those examples?
In the shock and outrage that followed public exposure of some of the worst excesses being carried out by government agents, tough new laws were enacted that required all federal agencies to account for everything they did by reporting it to the US Congress. Nothing could be left out, not even foreign intelligence operations.
Additionally, the Freedom of Information Act was extended to allow citizens to request copies of law enforcement records. This made the FBI accountable to the people for everything it did. Meetings by public officials became subject to "open meetings" laws, which required that any member of the public could attend a public meeting.
These and other laws help prevent America from becoming just as secretive and oppressive as the "Evil Empire" that was our mortal enemy for so many years. When public officials are held accountable for their actions by the very people over which they have authority, they are far less likely to wield that authority in a manner that harms those people.
In other words, knowing that the public is watching what they do and knowing that they have to account for their actions reins in the natural tendency of a bureaucrat to abuse his power for personal gain.
Tragically, for the past two years, powerful government officials have been attacking this vital check on government excess. Freedom of Information Act requests have been refused. Demands to know the identity, whereabouts, and condition of thousands of individuals arrested shortly after the terrorist attacks of 2001 have gone unanswered. The United States Attorney General, the person charged with defending the letter and spirit of the Constitution, has encouraged government agencies to refuse all requests for information and to resist all efforts to force compliance with oversight laws.
Even some of the new laws put on the books since the attacks run counter to the open government requirements. The infamous Patriot Act allows for the seizure of book buying and library borrowing habits without the need to obtain a proper search warrant. If the book seller or librarian informs the person being investigated that law enforcement has seized his records, that book seller or librarian goes to prison. Several book sellers are so outraged by this that they voluntarily have purged the records of their customers. One such book seller is Bear Pond Books of Vermont.
Thankfully, Congress finally is waking up and beginning to realize what a bloody mess it made in the wake of the 9-11 attacks. Not only is Congress crippling invasive, unnecessary government projects that threaten our civil liberties, they are once again asserting their right to be informed of government activities.
Civil liberties groups including the Electronic Frontier Foundation and the Center for Democracy and Technology are throwing their support behind a piece of legislation that would require U.S. agencies to report to Congress about the personal information they collect.
Senator Ron Wyden, a Democrat from Oregon, introduced the Citizens' Protection in Federal Databases Act of 2003 on Tuesday. The bill would require federal law enforcement and intelligence agencies to disclose when they subscribe to commercial databases of personal information.
Wyden's legislation would require reports from U.S. agencies including the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of Defense, and U.S. Federal Bureau of Investigation. The reports would have to disclose agency contracts to obtain commercial data, how the agencies analyze the data, and the privacy guidelines used by the agencies.
The bill also prohibits all federal agencies from conducting searches of commercial data to create hypothetical scenarios of future terrorist attacks.
I see this as being very good news. The representatives of the people are beginning to remember who they work for, and this is a very good start on putting the government back into the control of the people.
I'll end this article with the words of one of America's greatest, most revered leaders.
"A popular government, without popular information, or the means of
acquiring it, is but a Prologue to a Farce or a Tragedy - or perhaps both.
Knowledge will forever govern ignorance, and a people who mean to be their own
Governors must arm themselves with the power which knowledge gives."
- James Madison
http://www.bearpondbooks.com :: Bear Pond Books
http://www.pcworld.com/news/article/0,aid,111845,tk,dn080103X,00.asp :: Bill Calls for Reports on Data Searches
http://www.medicalprivacycoalition.org
The Medical Privacy Coalition is a national partnership of organizations concerned about the threat to Americans' fundamental right to protect their medical information. Individual partners of the coalition do not necessarily support any one particular legal challenge or legislative effort listed on the website.
April 14, 2003 marks the final compliance date of a new Medical Privacy Rule issued by the U.S. Department of Health and Human Services (HHS). The Rule was supposed to provide new and stronger federal privacy protections so that individuals would not lose trust in the health delivery system as a result of the streamlined transmission standards mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to facilitate the computerized storage and dissemination of health information.
Unfortunately, the Rule eliminates the right of citizens to control the use and disclosure of their personal health information for most purposes and grants blanket "regulatory permission" to thousands of entities (insurers, clearing houses, law firms, consulting firms, billing and collection firms, potential purchasers, and many others) to gain access to that information without the citizen's knowledge or consent and even against his or her wishes.
Service Pack 4 for Windows 2000 was released recently. Considering the invasive and consumer-hostile behavior of Microsoft these days, I always wait a month or two after a service pack is released before I install it. I also wait at least a week or two before I install other updates. I want to see what people are saying about the updates before I install them myself.
A posting by one person on a web site caught my eye the other day, and I thought I'd pass it along.
http://www.w2knews.com/anecdotes.htm
Just some more on the Service Pack 4 fun: I regularly disable the Automatic Updates and the BITS services on my servers (still don't like the idea of the servers talking to Microsoft, regardless of the intent - I have users to support and need to ensure servers are running). It seems SP4 will set those two services to run again (setting the Automatic Updates service to Automatic). I've not looked in depth for other "features", yet, but thought this one interesting enough to pass on.
If this is true, then I will not be installing Service Pack 4. An update "service" that downloads and installs software without user action and cannot be disabled is little different from a backdoor trojan in my opinion.
I refuse to use software that doesn't allow me to disable its updater. If it does provide the option, I usually let it run anyway as long as all it does is alert me to an update. However, nothing runs on my computer that installs software without my permission.
This is the only place I've seen a report of this. I'll be keeping an eye out for similar reports and let you know if I see it elsewhere.
Update
Ok, you caught me. I goofed.
I misunderstood what the person I quoted was saying. I thought he was saying the service pack was repeatedly turning the updater back on. According to others who have this service pack that have written to me, it appears that what the poster meant was that it turned his update service back on once during the service pack installation.
In other words, while the service pack does turn on a service you may have chosen to disable, it only does so once, during the installation. Once you turn it off yourself, it stays off. I apologize for the confusion.
To the several dozen people that have written to point out my mistake politely, thank you.
To the trolls who felt the need to send juvenile flame mail, I have a word to introduce to your vocabulary. That word is "maturity", which you can read all about here.
Do you like SpywareInfo and this newsletter? Then please tell a few friends about it! We are trying to come up with ways to increase the number of visitors to the web site and the number of subscribers of this newsletter.
Recently I signed up for RecommendIt's service, also used by Scot Finnie and Fred Langa. When you use RecommendIt's service to send a link to a friend or family member, you can also choose to enter a contest with a grand prize of $10,000.
The privacy policy of the site looks solid and I did ask around if anyone had heard anything bad about it before I signed up for it. You can use their service to recommend SpywareInfo to someone you know at http://www.recommend-it.com/l.z.e?s=881459
Of course, you don't *have* to use RecommendIt's site to send a friend a link to the site. Just sending an email will also do the trick.
http://www.scotsnewsletter.com Scot Finnie's Newsletter
http://www.langa.com/newsletter.htm The Langalist
All materials on this web site are copyrighted © 2001 - 2012 by Mike Healan or their respective owners.
® All rights reserved.